1. Field of the Invention
This invention pertains in general to computer security and in particular to behavior-based blocking of programs executing on a computer.
2. Description of the Related Art
Modern computer systems are susceptible to a wide variety of security threats from software that secretly performs operations the computer user does not want, such as theft of sensitive data, e.g. financial records. Such malicious software (“malware”) includes not only software smuggled onto the user's computer without the user's knowledge, but also seemingly reputable applications that have previously behaved in a benign manner. An application of this latter type may later begin to behave maliciously for a variety of reasons, such as the installation of an update containing malicious code inserted by an insider with access to the application's source code, or the triggering of “time bomb” code set to activate in response to a given event, such as the arrival of a specific date or the lapse of a given length of time since the application was installed.
Computer security solutions are generally transitioning from the more permissive “blacklist” model, in which all software not matching a set of known criteria, such as signatures of known malware, is permitted to execute freely, to a more restrictive “whitelist” model, in which only software on a list of trusted applications is allowed to execute. A whitelist, however, establishes only that a program is trusted at the time it is allowed to start; it says nothing about what the program subsequently does. Since even trusted applications may begin to behave maliciously at a later date, whitelist-based security systems also benefit from monitoring the actual behavior of the software they permit to run.
One form of such behavior-based monitoring involves examining the files and directories that the software accesses in order to detect aberrations that might signal malicious behavior. Unfortunately, conventional systems employing this approach frequently misidentify a legitimate application as possible malware, frustrating users either by blocking their applications from performing their desired tasks or by issuing false alerts to which the user must respond. Such misidentifications are particularly frequent for applications that access files which are broadly or randomly distributed throughout the file system, such as word processor documents or image files: because such files are routinely saved in many different locations, an access to a previously unseen location carries little information on its own.
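The false-positive problem just described, as an added example that is not part of the original patent text: a toy file-access profiler in Python that learns the directories an application touched from a constructed training log and then flags accesses to directories it has not seen. Under that naive rule a word processor saving a document into a new folder is flagged exactly like a tampered update of the same program reading a browser credential store. The second function is an illustrative refinement, not the method claimed by the invention: a file type already seen in several distinct directories during training is treated as broadly distributed, so a new directory for that type is not, by itself, treated as anomalous. The process name, paths and log entries are all constructed.

```python
"""Toy file-access anomaly detector (added example, not code from the patent).

Learns the directories an application touched while behaving normally, then
flags accesses to directories it has not seen.  All log entries are constructed.
"""
import posixpath
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str]  # (process name, accessed path)

# Constructed training log of benign behaviour.  In practice these records would
# come from a file-system monitor; the process name and paths are invented.
BASELINE_LOG: List[Event] = [
    ("wordproc.exe", r"C:\Users\alice\Documents\report.docx"),
    ("wordproc.exe", r"C:\Users\alice\Documents\notes.docx"),
    ("wordproc.exe", r"C:\Users\alice\Desktop\draft.docx"),
    ("wordproc.exe", r"C:\Users\alice\Downloads\invoice.docx"),
    ("wordproc.exe", r"C:\Program Files\WordProc\templates\letter.dotx"),
    ("wordproc.exe", r"C:\Program Files\WordProc\dict.dat"),
]

# Constructed post-deployment events: a benign save into a new project folder,
# and a read of a browser credential store that a word processor has no reason
# to perform (the kind of access a tampered update might make).
NEW_EVENTS: List[Event] = [
    ("wordproc.exe", r"C:\Users\alice\Projects\q3\budget.docx"),
    ("wordproc.exe", r"C:\Users\alice\AppData\Local\Browser\Login Data"),
]


def normalize(path: str) -> str:
    """Case-fold and use forward slashes so Windows paths compare consistently."""
    return path.replace("\\", "/").lower()


def directory_of(path: str) -> str:
    return posixpath.dirname(normalize(path))


def extension_of(path: str) -> str:
    # Files without an extension (e.g. "Login Data") yield "".
    return posixpath.splitext(normalize(path))[1]


class Profile:
    """Per-process record of directories seen, overall and per file extension."""

    def __init__(self, log: List[Event]) -> None:
        self.dirs: Dict[str, Set[str]] = defaultdict(set)
        self.ext_dirs: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
        for proc, path in log:
            d = directory_of(path)
            self.dirs[proc].add(d)
            self.ext_dirs[proc][extension_of(path)].add(d)

    def seen_dir(self, proc: str, path: str) -> bool:
        return directory_of(path) in self.dirs.get(proc, set())

    def type_breadth(self, proc: str, path: str) -> int:
        """Number of distinct directories in which this process accessed files
        with the same extension during training."""
        return len(self.ext_dirs.get(proc, {}).get(extension_of(path), set()))


def naive_flags(profile: Profile, events: List[Event]) -> List[str]:
    """Conventional rule: any access outside the training directories is suspect.
    Flags the benign .docx save and the credential-store read alike."""
    return [path for proc, path in events if not profile.seen_dir(proc, path)]


def breadth_aware_flags(profile: Profile, events: List[Event], min_dirs: int = 3) -> List[str]:
    """Illustrative refinement: a file type already seen in at least `min_dirs`
    distinct directories is treated as broadly distributed, so a new directory
    for that type is not, by itself, anomalous.  Unknown types still get flagged."""
    flagged = []
    for proc, path in events:
        if profile.seen_dir(proc, path):
            continue
        if profile.type_breadth(proc, path) >= min_dirs:
            continue  # .docx was already saved in three places during training
        flagged.append(path)
    return flagged


if __name__ == "__main__":
    profile = Profile(BASELINE_LOG)
    print("naive:        ", naive_flags(profile, NEW_EVENTS))
    print("breadth-aware:", breadth_aware_flags(profile, NEW_EVENTS))
```

The threshold `min_dirs` is a tuning knob with the usual trade-off: set too low, a type seen in two folders is considered "everywhere" and a real exfiltration of that type goes unreported; set too high, the detector degrades back to the naive rule and the user is alerted on every new save location.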